There is no starker reminder of how important it is to use a unique password for each and every online account than hearing a stranger's voice come out of your home security system, knowing they got in by reusing one of your passwords. That alone is a massive invasion of privacy. Knowing that the voice is coming through your Nest camera, and that the intruder can watch you too, is worse. A hacker did exactly this by taking advantage of reused passwords on people's Nest accounts.

The hacker, who calls himself SydeFX and says he is trying to build street cred to become a "white hat" (a hacker who works on the defensive side), told Motherboard that he used credential stuffing to gain access to close to 300 Nest cameras and asked the victims to subscribe to the YouTuber PewDiePie's channel. He even waited and watched them subscribe.

Credential stuffing is a type of cyberattack in which criminals take usernames and passwords from past data breaches and replay them against other online accounts. People who use the same credentials on multiple accounts are the ones who get caught by it. At the bottom of this article, we detail a simple method for creating a unique, memorable password for every account.

This is similar to, though it feels far more invasive than, the stunt pulled by the hacker TheHackerGiraffe, who sent requests to subscribe to the same channel to exposed printers.

This is definitely a good time to make sure you are using unique passwords for all of your online accounts. Even accounts you think are trivial and hold no important information deserve their own password. Credential stuffing is automated: a script tries thousands of stolen username and password pairs against a site in a short period of time, on the expectation that at least some will work. Sadly, they often do. SydeFX claims to have 4,000 unique Nest login combinations.
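To make this concrete, here is an added example (not code from the original article or from Nest) of how a defender spots a credential stuffing run in a login log: it flags any source address that tries many different usernames inside a short window with only a few successes, and lists the accounts whose reused password worked. The log format and the log lines are constructed for the example; adapt the parser to your own service's format.

```python
"""Spotting a credential stuffing run in authentication logs.

Added example, not code from the original article or from Nest. It assumes a
simple constructed log format (timestamp, source IP, username, result); real
services log differently, so adapt parse_line() to your own.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample log: 203.0.113.7 walks through ten different usernames in
# ten seconds with two successes (a stuffing run that found two reused
# passwords); 198.51.100.22 is one person mistyping their own password.
SAMPLE_LOG = """\
2019-01-14T10:00:01Z src=203.0.113.7 user=alice result=FAIL
2019-01-14T10:00:02Z src=203.0.113.7 user=bob result=FAIL
2019-01-14T10:00:03Z src=203.0.113.7 user=carol result=FAIL
2019-01-14T10:00:04Z src=203.0.113.7 user=dave result=OK
2019-01-14T10:00:05Z src=203.0.113.7 user=erin result=FAIL
2019-01-14T10:00:06Z src=203.0.113.7 user=frank result=FAIL
2019-01-14T10:00:07Z src=203.0.113.7 user=grace result=FAIL
2019-01-14T10:00:08Z src=203.0.113.7 user=heidi result=FAIL
2019-01-14T10:00:09Z src=203.0.113.7 user=ivan result=FAIL
2019-01-14T10:00:10Z src=203.0.113.7 user=judy result=OK
2019-01-14T10:01:00Z src=198.51.100.22 user=mallory result=FAIL
2019-01-14T10:01:05Z src=198.51.100.22 user=mallory result=FAIL
2019-01-14T10:01:20Z src=198.51.100.22 user=mallory result=OK
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for unrecognised lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event


def detect_stuffing(lines, window=timedelta(minutes=5), min_users=8,
                    max_success_rate=0.3):
    """Return {source_ip: summary} for sources that, within any `window`,
    tried at least `min_users` distinct usernames with a success rate at or
    below `max_success_rate`. The spread of usernames is what separates a
    stuffing run from one user retrying their own password; the low success
    rate is typical because only reused credentials work."""
    by_src = defaultdict(list)
    for line in lines:
        event = parse_line(line)
        if event:
            by_src[event["src"]].append(event)

    findings = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(events)):
            # advance `start` so events[start:end + 1] all fall inside `window`
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            span = events[start:end + 1]
            users = {e["user"] for e in span}
            hits = sorted(e["user"] for e in span if e["result"] == "OK")
            rate = len(hits) / len(span)
            if len(users) < min_users or rate > max_success_rate:
                continue
            # keep the widest matching window seen for this source
            if src not in findings or len(users) > findings[src]["distinct_users"]:
                findings[src] = {
                    "distinct_users": len(users),
                    "attempts": len(span),
                    "success_rate": round(rate, 2),
                    "compromised": hits,  # accounts whose reused password worked
                }
    return findings


if __name__ == "__main__":
    for src, summary in detect_stuffing(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {summary}")
```

On the sample data only 203.0.113.7 is flagged, with dave and judy listed as the accounts whose reused passwords worked; those are the users to force a password reset on. The thresholds are starting points: a real deployment tunes `min_users` and the window to its own baseline, and a stuffing tool spread across many source addresses needs the same logic applied per user-agent or per ASN rather than per IP.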

When changing passwords or creating new ones, use at least eight characters, and longer is better; length adds more strength than any single symbol does. Mix in a few numbers and a special character such as "@" or "#", and use both upper- and lowercase letters. Don't use personally identifying information such as your birthdate. Use something that makes no sense; those are the safest passwords.

Also, consider switching off interior cameras while you are home. They can be useful in a home invasion, but they can also be turned against you, whether by a hacker like this one or by a less ethical one. If you leave them on, think carefully about placement so they don't record anything you wouldn't want someone else to see, such as your bathroom or your computer screen.

As always, keep your apps updated and keep the firmware updated on all of your hardware devices. Manufacturers release firmware updates from time to time; don't ignore them. If you never changed the default password on those devices, do that too, using the same strong-password guidelines.

And as a final note, turn on multi-factor authentication (MFA) on your Nest account. Nest recently added the option, so just do it. With MFA on, a stolen username and password alone will not get an attacker into your account, which is exactly what credential stuffing relies on.

There was another incident involving the Nest in-home camera system recently, too, and this one will creep you out even more: someone got into a family's system and talked to the couple's baby. Definitely think about where you place those security cameras if you choose to put them inside your home.

Single Collection Of 773 Million Emails And 21 Million Passwords Found For Sale

Published January 18, 2019

Just when you think it's the biggest collection of breached data ever, another one comes along that's even bigger. Security expert Troy Hunt wrote this week about a collection of nearly three-quarters of a billion unique email addresses, with their passwords, that was posted on a cloud storage service, ready for the taking. If you thought your email address had never been exposed before, it most likely has been now.

Hunt, who runs the website Have I Been Pwned, was alerted to this collection. After cleaning it up, he counted 772,904,991 unique email addresses and 21,222,975 unique passwords in what he calls "Collection #1." The name comes from the data dump itself and is part of what leads him to believe it is an aggregate of data from many separate breaches. He also found that much of it was already in Have I Been Pwned, likely from older breaches such as LinkedIn's from several years ago.

There are steps you can take if your password appears in this collection, and if it isn't in this one, it's most likely in another that can be found on Have I Been Pwned. Attackers take leaked passwords and try them on other websites to see which accounts open. This is called "credential stuffing," and it is simple to do with very little effort. Hunt has even posted YouTube videos of someone doing it and getting into Spotify accounts with stolen credentials; it's rather shocking how elementary and efficient it is.
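Here is an added example, written for this article rather than taken from Have I Been Pwned, of checking whether a password appears in the Pwned Passwords corpus the safe way: the password never leaves your machine, only the first five characters of its SHA-1 hash do, and the comparison against the returned hash suffixes happens locally. The sample range data and the counts in it are constructed so the example runs offline; the real endpoint is https://api.pwnedpasswords.com/range/<prefix>, shown in `fetch_range_http()`.

```python
"""Checking a password against Have I Been Pwned's Pwned Passwords corpus
without sending the password anywhere.

Added example; not code from the article or from Have I Been Pwned. It follows
the service's documented k-anonymity "range" lookup: hash the password with
SHA-1, send only the first five hex characters of the hash, and compare the
returned hash suffixes locally. FAKE_RANGES below is constructed sample data
standing in for the HTTP response so the example runs offline; the counts in it
are made up. fetch_range_http() shows the real request but is not called here.
"""
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_hash(password):
    """Return (prefix, suffix) of the uppercase SHA-1 hex digest. Only the
    5-character prefix ever leaves the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body):
    """Parse 'SUFFIX:COUNT' lines from a range response into {suffix: count}."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def count_in_range(password, body):
    """Times the password appears, given the range body for its prefix."""
    _, suffix = split_hash(password)
    return parse_range(body).get(suffix, 0)


def check_password(password, fetch):
    """fetch(prefix) returns the range body (or None when no data). Returns
    the breach count; 0 means the password was not found."""
    prefix, _ = split_hash(password)
    body = fetch(prefix)
    return 0 if body is None else count_in_range(password, body)


def fetch_range_http(prefix):
    """Real lookup (network). HIBP requires a User-Agent; Add-Padding asks the
    server to pad the response so its size does not leak which prefix it is."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"User-Agent": "pwned-check-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the response to /range/5BAA6 (the prefix for the
# SHA-1 of "password"). The suffix on the first line is the real one; both
# counts are invented for the example.
FAKE_RANGES = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:1000000\n"
        "0123456789ABCDEF0123456789ABCDEF012:2\n"
    )
}

if __name__ == "__main__":
    for pw in ("password", "Xu%9T-amazon-example"):
        n = check_password(pw, FAKE_RANGES.get)
        print(f"{pw!r}: {'seen %d times' % n if n else 'not in sample data'}")
```

To use it for real, pass `fetch_range_http` instead of `FAKE_RANGES.get`. Any non-zero count means the password is in circulation and will be in the lists that credential stuffing tools replay, so it should be retired everywhere it was used, not just on the site where you noticed it.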

So, if you reuse any password on more than one website, no matter how unimportant you think the websites are or the data they store may be, change them to be unique. Follow strong password guidelines:

At least eight characters

Combine upper and lower case letters

Use numbers

Use special characters

Don’t make them dictionary words or proper names

Don’t use personal information such as your birthdate or driver license number

If you just cannot remember all of your passwords, which is what generally leads someone to reuse one, try a new strategy. Create a unique string of characters, five or six at least, to use as your base password, then build a password for each website from the site's name and that base. For example, if you have an Amazon account (and who doesn't these days), use "Xu%9T" as the base that appears in every password, take the first two letters of the site name, "Am," and create "AXum%9T," where the first and second letters of the site name always go in the same positions in the base string. For a Yahoo account, it would be "YXua%9T." The odds of repeating a password drop immensely this way. One caveat: if one of these passwords leaks in a breach, anyone who studies it can work out the pattern and guess the rest, so treat this as a step up from reuse, not a substitute for the password manager described below.

If you don't want to do that, there is always the old pen-and-notebook strategy. Yes, writing passwords down is generally not recommended. However, it is unlikely that an online attacker will get access to a notebook you keep at home, and this is still much better than reusing passwords.

A third option is to use a password manager. Understand the trade-off: the manager generates random, unique passwords for your websites, but you unlock it with a single "master" password, which makes that one password critical. Password manager vendors have been breached before; LastPass and OneLogin have both disclosed incidents. A well-designed manager never stores your master password itself, only a slow hash of it, and keeps your vault encrypted with a key derived from that password, so what a breach exposes is ciphertext and hashes; a long master password plus MFA on the manager account is what keeps that from turning into your passwords. That said, this is a far more secure strategy than reusing passwords on multiple websites.

Now, while some think this is the largest collection of data ever posted, Brian Krebs of KrebsOnSecurity says otherwise. Krebs contacted the seller and was "steered" toward other, fresher data. The Collection #1 database was for sale for $45, which works out to about $0.000002 per password to a hacker (Krebs did the math), but your password is worth far more to you.

In any case, Krebs offers the same advice about passwords and adds: use multifactor authentication (MFA) whenever possible. That is indeed a good tip.

The Collection #1 data has since been removed from the cloud storage service where it was posted (MEGA), but the damage is done. If you used the same password on other sites, go change them now.

Mystery Document Appears On Thousands Of Printers Asking For YouTube Support

Published January 10, 2019

There's nothing wrong with a bit of competition between friends...or YouTube stars. It's apparently a big deal to have the most YouTube subscribers, and until recently the king of that was a Swedish game commentator and YouTube personality who goes by PewDiePie, currently with around 72.6 million subscribers. That lead was recently threatened, which prompted a Twitter user who goes by TheHackerGiraffe to go to bat for the Swede and send messages to accessible printers begging the recipients to subscribe to PewDiePie.

A random message that appears out of thin air on your printer should not be ignored. In this case, the hacker scanned the Internet for printers with open printing ports. As a result, over 50,000 printers received a message telling people to unsubscribe from the competition, an Indian record label called T-Series, and subscribe to PewDiePie. As a "bonus," readers were also asked to subscribe to several others.

This isn't a difficult trick to pull off. All it takes is an automated script to find printers with certain ports open to the Internet and send them a print job; this hacker used a line of code short enough to fit in a single tweet. In 2016, the hacker Weev sent anti-Semitic messages to thousands of printers with the same kind of open ports.

Ports are left open to the Internet all too often. Sometimes it's an accident or ignorance, and other times laziness. This incident was relatively harmless, but that doesn't mean the next one will be.

While you may think that someone merely sending documents to your printer is harmless, there are other threats to consider should someone get access:

Using the printer to send faxes. If the faxes are directed at a healthcare organization or a financial institution, it could lead to healthcare or financial fraud.

Launching a denial-of-service (DoS) attack against the printer. This could lock it up, which means time spent trying to fix it and probably a lot of angry colleagues.

Intercepting print jobs going to the printer.

Installing malware on the printer that could allow remote control of it.

Steps to take to prevent access to your printers:

Use an encrypted connection when accessing the printer’s administrative features.

Use access control lists (ACLs) whenever possible to limit which hosts can print to or administer the device.

Do not expose the printer's web interface, or its printing ports, to the Internet.

Consider disabling printing via IPP or FTP if you don't use them, and block the raw printing port (TCP 9100), IPP (TCP 631) and LPD (TCP 515) at your firewall.

Change the default SNMP community names ("public" and "private") to something strong and hard to guess, or disable SNMP entirely if you don't use it.

Keep your printers updated with the latest firmware and drivers.

Wipe or physically destroy the internal hard drives of printers you are retiring; they often keep copies of past print jobs.
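To verify the SNMP item above on your own printers, here is an added example (not from the original article or from any printer vendor) that asks a device for its sysDescr.0 using a given SNMPv1 community string. Because SNMPv1 agents silently drop requests carrying the wrong community, any reply at all means the string you tried is accepted. The hostname in the usage line is a placeholder; run this only against devices you are responsible for.

```python
"""Checking whether a printer still answers to a default SNMP community.

Added example for the SNMP item in the list above; it is not code from the
article or from any printer vendor. It hand-builds an SNMPv1 GetRequest for
sysDescr.0 (1.3.6.1.2.1.1.1.0) in BER encoding and sends it over UDP/161. An
SNMPv1 agent silently drops requests whose community string is wrong, so any
reply at all means the community you tried is accepted. Host names here are
placeholders; run it only against devices you are responsible for.
"""
import socket
import sys

SYSDESCR_OID = "1.3.6.1.2.1.1.1.0"
DEFAULT_COMMUNITIES = ("public", "private")


def _ber_len(n):
    """BER length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, content):
    return bytes([tag]) + _ber_len(len(content)) + content


def _encode_int(n):
    """Non-negative INTEGER; an extra leading zero byte keeps the sign bit clear."""
    body = n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big")
    return _tlv(0x02, body)


def _encode_oid(oid):
    """OBJECT IDENTIFIER: first two arcs packed as 40*x+y, the rest base-128."""
    arcs = [int(a) for a in oid.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def build_get_request(community, oid=SYSDESCR_OID, request_id=1):
    """SNMPv1 message: SEQUENCE { version 0, community, GetRequest-PDU }."""
    varbind = _tlv(0x30, _encode_oid(oid) + b"\x05\x00")  # OID + NULL value
    pdu = _tlv(0xA0, _encode_int(request_id)
               + _encode_int(0)          # error-status
               + _encode_int(0)          # error-index
               + _tlv(0x30, varbind))    # VarBindList
    return _tlv(0x30, _encode_int(0) + _tlv(0x04, community.encode("ascii")) + pdu)


def probe(host, community, timeout=2.0):
    """True if the device answers the GetRequest, i.e. accepts `community`."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_get_request(community), (host, 161))
        data, _ = sock.recvfrom(4096)
        return len(data) > 0 and data[0] == 0x30  # any SNMP SEQUENCE came back
    except (socket.timeout, OSError):
        return False
    finally:
        sock.close()


if __name__ == "__main__":
    # usage: python snmp_default_check.py printer.example.internal [community ...]
    if len(sys.argv) < 2:
        sys.exit("usage: snmp_default_check.py <host> [community ...]")
    target = sys.argv[1]
    communities = sys.argv[2:] or DEFAULT_COMMUNITIES
    for name in communities:
        status = "ACCEPTED - change it" if probe(target, name) else "no reply"
        print(f"{target} community {name!r}: {status}")
```

A "no reply" result means only that the community was not accepted (or SNMP is off or filtered), not that the device is otherwise secure. Keep in mind that SNMPv1 and v2c send the community string in cleartext, so a renamed community only protects against guessing; on a network you do not fully trust, disable SNMP or move to SNMPv3 with authentication.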

Of course, remember the physical security basics too. Remind employees to collect documents from the printer immediately after printing, lest they get sidetracked and leave a confidential document sitting there. Keep printers where unauthorized people cannot easily reach them, and never let a visitor roam around unescorted; that's a great opportunity for documents left on printers to be snatched.

Quora Announces Breach And Some Users May Not Even Know They Have Accounts

Published December 5, 2018

This week has been littered with data breach news, and sometimes the only reaction left is a big sigh when another one is disclosed. The question-and-answer site Quora announced a data breach affecting as many as 100 million users. Before you toss this aside thinking, "Hey, I don't have a Quora account, so this doesn't matter," it just might. Many users may have accounts they didn't know they had, so read on.

Quora allows users to post under their name or anonymously. Named users are the ones who really have to worry. However, if you signed in to Quora with a Facebook or Google account, anonymously or not, you may also be part of this breach. With Facebook in particular, some of those fun little quizzes that pop up now and then may have been tied to Quora, unbeknownst to the quiz takers. That means you may indeed have a Quora account and not have known it...until now.

So first, regardless of whether you received a notification from Quora, change your password on that site, and make it unique to that site. Don't skimp on this. It's also a great example of why you need unique passwords: if you used your Quora password on any other site, you now need to go change those too. Password reuse is real, and there are tools that let attackers perform credential stuffing, trying leaked logins against many sites in a short period of time. Use unique login credentials for every single site.

Use strong passwords too; don't get lazy here either. The number one password every year is "123456" or some variation of it, and "football" made the top ten for 2017, so don't use that either. Password crackers already know these lists, and you can bet they are the first things tried in a credential stuffing attack. Make passwords at least eight characters, with a number, a special character such as "!" or "$," and upper- and lowercase letters. And don't click links in email messages asking you to change your password; go to your account directly and do it there. Change your password whether or not you are specifically among the 100 million.

Another problem is for those who logged in long ago for a single answer and never visited the site again. They may not even remember until they get a notification from Quora or recall email messages from the company. Luckily, you can delete your Quora account altogether; the option is under the privacy settings. It may take a while for the deletion to complete, but you definitely can do it. Delete any account you no longer use.

Quora is blaming this on a "malicious third party." Beyond that vague statement, we know they discovered it on November 30. Information accessed includes, but is not limited to, users' names, email addresses, passwords (stored hashed, according to Quora), user account settings, IP addresses, and data imported from any connected social networks, potentially including information about social media contacts. Use caution when linking online accounts, especially to social media, and take a moment to consider whether you really want to take that Facebook quiz. As the Cambridge Analytica incident showed, perhaps it isn't that important to know which pop star or Disney villain you most resemble.

One of the world's largest financial institutions has been hit with a cyber intrusion. London-based HSBC announced that an undisclosed number of customers were affected when online accounts were accessed by unauthorized users between October 4 and October 14. According to researchers, it wasn't a devious break-in of HSBC's systems but a technique called credential stuffing.

Credential stuffing means the attackers used stolen credentials, such as a username and password list bought on the Dark Web, to log in to the accounts. It works because people tend to use the same login credentials for multiple sites across the Internet. If you do this, it is a very bad idea, for exactly this reason.

Passwords need to be unique to every single website you log into. They should also be hard to guess and contain no personal information; your pet's name, for example, is not a good choice.

It's understandable that you'd want to reuse passwords. We are overwhelmed with them these days, and it's a lot to ask to remember each one when they are all different. There are ways to help.

You can use good old-fashioned pen and paper and write them down. Yes, if you do this at work and leave the paper where anyone can see it, you are putting your company at huge risk. So hide it away, lock it up, take it out only when you need it, and guard it like Fort Knox.

Obviously, that is not the preferred method, but a notebook is out of reach of online attackers entirely; only the few people with physical access to it are a risk. It's still better than using the same password over and over.

You can also use a password manager; there are several available. This is certainly a good way to keep track, since a single master password unlocks the manager. Just keep in mind what a breach of the vendor means: several have been breached, and a well-designed manager stores only a slow hash of your master password and an encrypted vault, so a long master password and MFA on the manager account are what keep attackers from turning that into ALL of your passwords. Still, this is better than using the same one on multiple accounts.

To make it a bit easier, try a different technique when creating them. Build a base password from a combination of upper- and lowercase letters, numbers, and special characters, then add to it something from the website you're logging into. For example, if your base is 7*dLeiK#, your Facebook password could be 7*dLeiK#FB. This makes it highly unlikely you'll ever have the same password on two sites, though if one of them leaks the pattern is easy to spot, so a password manager's random passwords remain the stronger choice.

HSBC has offered complimentary credit monitoring and identity theft protection to those affected. Keep in mind that these services won't prevent fraud or identity theft; they alert you when something looks suspicious, which gives you the chance to react quickly.

Even with these services, check your credit reports from all three bureaus every year. To keep a closer eye on them, order one from a different bureau every four months. You can get them at no charge at annualcreditreport.com.

Information accessed on the victims included names, addresses, and account numbers. Even though passwords were not listed as accessed, out of an abundance of caution, change your HSBC online account password as well, even if you weren't notified.

Credential Stuffing Key Reason To Have Unique Passwords For Every Account

Published August 31, 2018

Did you hear it was Amazon Prime Day not long ago? If you didn't, it frustrated some people: many comments were posted on Amazon's Facebook page by hurried consumers who couldn't purchase their coveted prizes because the website was slow, crashed, or otherwise stopped them. According to a report from the security firm Shape Security, hackers may have contributed to the problems.

OK, Shape Security's report (the 2018 Credential Spill Report) didn't explicitly blame hackers for that, but it did find that up to 90% of login attempts at some online retailers come from cybercriminals.

Some key findings from the research:

More than 2.3 billion (yes, with a "b") usernames and passwords were "spilled" from 51 organizations last year.

The banking industry in the U.S. loses nearly $50 million per day from credential stuffing attacks.

Credential spills take time to discover: 15 months on average.

What is a credential spill? Shape defines it in the report as "an incident in which a set of usernames and passwords from an organization become compromised." Hackers use these username and password combinations to attack all kinds of sites, knowing that many users reuse them across multiple websites, even between online shopping and their financial accounts. That's a big no-no. Hackers take the combinations and run a process called "credential stuffing": they test them on every website they can think of until they succeed. This happens more often than you'd think and far more often than it should.

That’s why security professionals keep going on and on about having unique credentials for every website. It truly is important.

Frequent flyer and rewards programs are targeted too; Hilton's loyalty customers experienced this a few years ago. Shape also reported that some hackers use stolen grocery-delivery logins to order expensive cheese on the victim's dime and resell it to restaurants.

So, follow good login credential practices. Create unique and strong passwords for every site and you can keep the hackers’ grubby fingers off your high-priced cheese.


Chances are pretty good that you have heard the term business email compromise, or BEC, by now. It is a type of wire transfer fraud that the FBI has deemed one of the most prevalent scams going around these days. In 2017, there were 15,690 complaints resulting in total adjusted losses of more than $675 million, an 87% increase over 2016, and it is expected to keep rising. The Identity Theft Resource Center (ITRC) reported that of the fraud-related complaints reported in 2017, the most common type was wire transfer fraud.


This Privacy Policy applies to and is provided on behalf of Stickley on Security. (collectively referred to as "We", "Us", or "Our") and describes Our information gathering
practices and policies in connection with this Site. We value your ("User", "You", or "Your") privacy and recognize the sensitivity of Your personal information. We are
committed to protecting Your personal information and using it only as appropriate to provide You with the best possible service, products, and opportunities. Use of this
Site constitutes consent to Our collection and use of personal data as outlined herein.

COLLECTION AND USE OF PERSONAL INFORMATION FROM SITE USERS

We collect personally identifiable information from Users who provide it to us for billing purposes. For example, We collect Your name, street address, city, state, zip
code, telephone number, email address, and financial information, such as a credit card number, if You use the Site to register or renew a license. We may use this
information to contact You regarding the status of Your account and orders placed, and to alert You to new information, products and services, events and other
opportunities. We recognize that You may wish to limit the ways in which You are contacted and provide You with opt-out options below. Information about Our experiences and
transactions with you, such as your payment history, types of services and/or products you purchased are not shared with organizations outside of Stickley on Security.

We will not disclose to third parties (that is, people and companies that are not affiliated with Us) individually identifying information, such as names, postal and e-mail
addresses, telephone numbers, and other personal information, except to the extent that it is necessary to process and provide You with Your order, license request or
other request. Your contact information may also be provided to the extent necessary to comply with applicable laws or legal processes (e.g., subpoenas), or to meet contractual obligations outlined in this policy, or to protect Our
rights or property. We will cooperate with all law enforcement authorities.

If Your order, license request or other request is processed by a third-party, or if You are provided with bulletin boards and chat rooms and/or email capabilities on
this Site, please note that in the event that You voluntarily disclose personally identifiable information in those instances, that information, along with any substantive
information disclosed in Your communication or post, can be collected, correlated and used by third parties. This may result in unsolicited messages from third parties. Such
activities are beyond Our control, and We encourage You to check the applicable privacy policy of such party when providing personally identifiable information.

For each visitor to this Site, Our server can detect and collect certain information, including the User's domain name and e-mail address, and can identify the Web pages the
User visited or accessed. We may use this information in order to measure interest in and use of the various areas of the site.

We do not knowingly solicit information from children and We do not knowingly market the Site or its services to children.

OPT-OUT

You may at any time opt out of having Your personal information used by Us to send You promotional correspondence by contacting Us via e-mail provided in the "Contact Us"
section below.

PROMOTION CODES

"Promotion codes" are offered by third-party affiliates of the Stickley on Security Training Videos. If you choose to include a "Promotion Code" when placing your order, the affiliate who is associated with that promotional code will receive your organizations name. They will NOT however receive any other information related to your account. The sharing of the organization name only applies when a "Promotion Code" is included during the order process.

USE OF COOKIES

1. First-party cookies
User input cookies to keep track of the user's input when filling online forms, shopping carts, etc., for the duration of a session, or persistent cookies limited to the duration of an operation such as purchase or trial;
User identification persistent cookies, to identify whether the user is visiting the website for the first time;
Authentication cookies, to identify the user once he has logged in, for the duration of a session;
user interface customization cookies such as time zone and shopping cart status info, for the duration of a session (or slightly longer).

2. Third-party cookies
social plug in content sharing cookies, for logged in members of a social network;
Google Analytics cookies to generate statistical data on how the visitor uses the website.

How do we use them?
Where strictly necessary. These cookies and other technologies are essential in order to enable the Services to provide the feature you have requested, such as remembering you have logged in.

For functionality. These cookies and similar technologies remember choices you make such as time zone and shopping cart info. We use these cookies to provide you with an experience more appropriate with your selections and to make your use of the Services more tailored.

For performance and analytics. These cookies and similar technologies collect information on how users interact with the Services and enable us to improve how the Services operate. For example, we use Google Analytics cookies to help us understand how visitors arrive at and browse our products, services and website to identify areas for improvement such as navigation, user experience, and marketing campaigns.

Social media cookies. These cookies are used when you share information using a social media sharing button or "like" button on our websites or you link your account or engage with our content on or through a social media site. The social network will record that you have done this. This information may be linked to targeting/advertising activities.

How can you opt-out?
To opt-out of our use of cookies, you can instruct your browser, by changing its options, to stop accepting cookies or to prompt you before accepting a cookie from websites you visit. If you do not accept cookies, however, you may not be able to use our Services.

Updates to this Cookie Policy
This Cookie Policy may be updated from time to time. If we make any changes, we will notify you by revising the "effective starting" date at the top of this notice.

INFORMATION SECURITY AND CONFIDENTIALITY

We maintain physical, electronic and procedural safeguards to prevent the unauthorized release of or access to Your personal information. When We transfer and receive
certain types of sensitive information such as financial information, We redirect visitors to a secure server. We do not store or reuse Your credit card information. We do
not record or manage financial information about You (including credit card and other payment information). However, such precautions do not guarantee that this Site is
invulnerable to all security breaches. We make no warranty, guarantee, or representation that the use of this Site is protected from viruses, security threats, or other
vulnerabilities and that Your information will always be secure. We cannot guarantee the confidentiality of any communication or material transmitted to/from Us via the Site
or e-mail. Use of the Internet is solely at Your own risk and is subject to all applicable local, state, federal, and international laws and regulations.

THIRD PARTY PROCESSING

Stickley on Security uses the vendor Authorize.net to process all payment transactions. When making a purchase on this site, You also accept the Terms and Conditions and
Privacy Policy of Authorize.net.

CONTACT US

This Privacy Policy may be updated periodically and posted on this Site. It applies only to Our online practices and does not encompass other areas of the organization. We
reserve the right to change this Policy at any time by posting revisions. By accessing or using the Site, You agree to be bound by all of the Terms of this Privacy Policy as
posted at the time of Your access or use. We reserve the right to contact Users of the Site regarding changes to the Terms and Conditions generally, this Privacy Policy
specifically, or any other policies or agreements relevant to the Site's Users. If You have any questions about this Policy, You may email to:
